| 1 |
On 03/03/2010 17:35, Natanael Copa wrote: |
| 2 |
> On Wed, Mar 3, 2010 at 5:14 PM, Ed W<lists@××××××××××.com> wrote: |
| 3 |
> |
| 4 |
> |
| 5 |
>> I don't have physical access to all machines, so any interesting cheap |
| 6 |
>> random number generator dongles would be interesting to know about, but will |
| 7 |
>> not be a full solution in this case. If I'm missing some obvious option |
| 8 |
>> which is available on recent Intel/AMD hardware which might give me larger |
| 9 |
>> amounts of entropy then please shout? |
| 10 |
>> |
| 11 |
> media-sound/audio-entropyd? |
| 12 |
> |
| 13 |
> |
| 14 |
|
| 15 |
Thanks for the idea - the server is a rackmount thing rented from a |
| 16 |
hosting company and I don't think it has any soundcard onboard... |
| 17 |
|
| 18 |
I believe that the kernel doesn't use the network interrupt for |
| 19 |
randomness, only keyboard, mouse and HD. This isn't a great situation |
| 20 |
for a headless, mouseless webserver which tries as hard as possible not |
| 21 |
to touch the disk... |
| 22 |
|
| 23 |
I ordered an "Entropy Key" from here: http://www.entropykey.co.uk/ |
| 24 |
|
| 25 |
This will help for the office server, but it doesn't really sort out my |
| 26 |
rented racks (no, don't really want some crazy solution involving ssh |
| 27 |
piping the data to it...) |
| 28 |
|
| 29 |
Would be very grateful for any other ideas here. I think the solution is |
| 30 |
likely to use a lower quality rng source for the SSP protection rather |
| 31 |
than generating more entropy - I'm not really see that a super high |
| 32 |
quality rng source is really needed for SSP? Possibly a local attacker |
| 33 |
can write code which flogs the rng until they figure out the params, |
| 34 |
then use it as part of an SSP attack, however, its low on my list of |
| 35 |
fears... |
| 36 |
|
| 37 |
I can see that glibc previously used to use erandom, but this patch was |
| 38 |
dropped - any reason? |
| 39 |
|
| 40 |
Cheers |
| 41 |
|
| 42 |
Ed W |
Archives